GNOME trouble
by Noel Davis, 08/27/2003
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in BitKeeper, the GNOME Display Manager, srcpd, ViRobot Linux Server, OpenSLP, eMule, lMule, xMule, netris, and autorespond.
- BitKeeper
- GNOME Display Manager
- srcpd
- ViRobot Linux Server
- OpenSLP
- eMule, lMule, and xMule
- netris
- autorespond
BitKeeper
It has been reported that the trigger functionality of the source-control system BitKeeper can be exploited using a carefully crafted patch. Details of this vulnerability have been withheld, pending a patch from BitMover. It is also reported that exploits for this vulnerability exist, but have not been released to the public. This problem is reported to affect all versions of BitKeeper through 3.0.2.
Users of BitKeeper should exercise care as to what patches are applied, and can disable the trigger functionality by adding export BK_NO_TRIGGERS=YES to their .profile.
GNOME Display Manager
The GNOME Display Manager can be manipulated by a local attacker to allow any file on the system to be read. A flaw in the GNOME Display Manager causes the ~/.xsession-errors file to be read using root permissions. As this file is under the control of the user, it can be replaced with a symbolic link that points to any file on the system, which will then be read by the GNOME Display Manager using root's permissions. This flaw is reported to affect versions 2.4.1.6 and earlier of the GNOME Display Manager, which contain the feature "examine session errors."
A bug in XDMCP (the X Display Manager Control Protocol) can, under some conditions, be exploited by an attacker in a denial-of-service attack that crashes the GNOME Display Manager daemon.
Users should watch their vendor for updated packages that repair these problems. Red Hat has released updated packages for Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9.
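As an added illustration (not code from GDM or its fix), the following Python shows the check a privileged program should make before reading a file that lives under a user's control: open with O_NOFOLLOW, then verify on the opened descriptor that it is a regular, singly-linked file owned by the expected user. The scratch home directory, "secret" file and .xsession-errors contents are constructed for the demonstration.

```python
import os
import stat
import tempfile


def read_user_file(path, owner_uid, max_bytes=1 << 20):
    """Read a user-controlled file from a privileged process.

    O_NOFOLLOW makes open() fail (ELOOP) if the final path component is a
    symbolic link, and the fstat() checks run on the descriptor we actually
    opened, so a swap between check and use cannot slip through.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("%s: not a regular file" % path)
        if st.st_uid != owner_uid:
            raise PermissionError("%s: owned by uid %d, expected %d"
                                  % (path, st.st_uid, owner_uid))
        if st.st_nlink != 1:
            raise PermissionError("%s: hard-linked elsewhere" % path)
        return os.read(fd, max_bytes)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario in a scratch directory: a genuine
    .xsession-errors, then the same name replaced by a symlink to a file
    the user should not be able to make the display manager read."""
    home = tempfile.mkdtemp()
    secret = os.path.join(home, "secret")   # stands in for a root-only file
    with open(secret, "w") as f:
        f.write("root-only data\n")
    log = os.path.join(home, ".xsession-errors")
    with open(log, "w") as f:
        f.write("session log\n")
    uid = os.getuid()
    result = {"regular": read_user_file(log, uid)}
    os.remove(log)
    os.symlink(secret, log)                 # the attack: log replaced by a link
    try:
        read_user_file(log, uid)
        result["symlink"] = "followed"
    except OSError:
        result["symlink"] = "refused"
    return result
```

O_NOFOLLOW only guards the final path component; a privileged reader should additionally open relative to a trusted directory descriptor or drop to the user's uid before opening, so that a symlinked parent directory cannot redirect it either.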
srcpd
srcpd is a daemon that implements SRCP (the Simple Railroad Command
Protocol) and allows the control of a digital model railroad. It is
vulnerable to several buffer overflows that can be used to crash the
server, execute arbitrary code with the permissions of the user
running the daemon, cause the trains to miss their scheduled
departure times, and, under some rare conditions, can cause trains to
crash. A program to automate the exploitation of these
vulnerabilities has been released to the public.
It is recommended that users protect srcpd from access by unauthorized
hosts and networks using firewalling tools, that it be executed by a
user with no special permissions, and that users consider disabling
srcpd until it has been updated with a repaired version.
ViRobot Linux Server
Version 2.0 of the anti-virus tool ViRobot Linux Server is reported to
be vulnerable to several buffer overflows that can be exploited by a
remote attacker to execute code with root permissions. The ViRobot
Linux Server installs many set-user-id-bit cgi-bin applications, some
of which are vulnerable to buffer-overflow-based attacks. A script to
automate a local attack that results in a root shell has been
released. It is not known if other versions of ViRobot Linux Server are
vulnerable.
Users should watch their vendor for a repaired version of ViRobot Linux Server and recommended workarounds. One possible workaround is to remove the set-user-id bits from all ViRobot Linux Server binaries; it is not known if this will affect the performance of the anti-virus tool.
OpenSLP
OpenSLP is an implementation of the Service Location Protocol V2, used by applications to discover networked services in an enterprise network. OpenSLP is vulnerable to a symbolic-link temporary file race condition attack in its init script that can be exploited by a local attacker to overwrite arbitrary files on the system, with the permissions of the user running OpenSLP's init script (in most cases, root).
It is recommended that users upgrade to version 1.0.11, which contains a safe init script and is reported to contain additional repairs and features.
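As an added illustration (not OpenSLP's own init script or its fix), the following Python reproduces the mechanics of a temporary-file symlink race: a fixed, predictable name opened for writing is followed to whatever an attacker linked it to, while creating the file with O_CREAT|O_EXCL refuses to proceed when anything already sits at that path. The temp-file name, target file and scratch directory are constructed for the demonstration.

```python
import os
import tempfile

PREDICTABLE_NAME = "slpd.tmp"   # constructed stand-in for a fixed temp-file name


def write_temp_naive(tmpdir, data):
    """Vulnerable pattern: fixed name, opened for writing without O_EXCL, so a
    symlink planted at that name is followed and its target is truncated and
    overwritten with the caller's (usually root's) privileges."""
    path = os.path.join(tmpdir, PREDICTABLE_NAME)
    with open(path, "wb") as f:
        f.write(data)
    return path


def write_temp_safe(tmpdir, data):
    """Repaired pattern: O_CREAT|O_EXCL fails with EEXIST when anything, a
    symlink included, already exists at the path; O_NOFOLLOW and mode 0600
    keep the new file private. tempfile.mkstemp() or mktemp(1) do the same
    with an unpredictable name, which is the better choice when possible."""
    path = os.path.join(tmpdir, PREDICTABLE_NAME)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Constructed race outcome: the attacker's symlink is already in place
    when the privileged script runs."""
    tmpdir = tempfile.mkdtemp()
    target = os.path.join(tmpdir, "important")   # stands in for a root-owned file
    with open(target, "wb") as f:
        f.write(b"original\n")
    os.symlink(target, os.path.join(tmpdir, PREDICTABLE_NAME))
    out = {}
    try:
        write_temp_safe(tmpdir, b"x\n")
        out["safe_refused"] = False
    except FileExistsError:
        out["safe_refused"] = True
    with open(target, "rb") as f:
        out["target_after_safe"] = f.read()
    write_temp_naive(tmpdir, b"clobbered\n")
    with open(target, "rb") as f:
        out["target_after_naive"] = f.read()
    return out
```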
eMule, lMule, and xMule
eMule, lMule, and xMule are open source file sharing clients for a
peer-to-peer network named the eDonkey2000 network. eMule is a Windows
client and lMule and xMule are Unix clients that use the wxWindows
library. These clients are reported to be vulnerable to several
vulnerabilities, including buffer overflows, format-string errors, and
an attack similar to a double-free vulnerability.
Users of eMule should upgrade to version 0.30a or newer. xMule 1.4.3
has been released and repairs several of the vulnerabilities. lMule
does not appear to have released a new version that repairs any of the
vulnerabilities. Users should watch for repaired versions of lMule and
xMule, and should consider not using them until they have been
fully repaired.
netris
The networked game netris is vulnerable to a buffer overflow that a
hostile netris server could abuse to execute code on a connecting netris
client with the permissions of the user running the client.
Debian has released a repaired netris package. Users of other
distributions should watch their vendors for updated packages.
autorespond
autorespond is an automated email responder distributed with qmail.
When a user has configured qmail to use autorespond, it may be
exploitable, under some conditions, by a remote attacker to execute
arbitrary code with the permissions of the user. It has been reported
that this vulnerability is not thought to be exploitable, due to some
of the conditions necessary to exploit it.
It is recommended that users refrain from using autorespond until it
has been repaired. If autorespond is exploitable, it would not be the
first time that a vulnerability thought to not be exploitable was.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.